feat: support remote URLs for Rego policy in kosli evaluate by mbevc1 · Pull Request #875 · kosli-dev/cli

mbevc1 · 2026-05-08T22:14:05Z

Allow --policy https://host/policy.rego (or http://) on evaluate trail, evaluate trails, and evaluate input. Local file paths continue to work unchanged. Remote fetches honor --http-proxy and warn on plain HTTP.

Allow `--policy https://host/policy.rego` (or http://) on `evaluate trail`, `evaluate trails`, and `evaluate input`. Local file paths continue to work unchanged. Remote fetches honor `--http-proxy` and warn on plain HTTP.

claude · 2026-05-08T22:15:02Z

Claude finished @mbevc1's task in 2m 11s —— View job

Review of PR #875 — Remote HTTP(S) URLs for `--policy`

Run static analysis (build, vet, mod tidy)
Read changed files and understand the changes
Check if prior review feedback was addressed
Review for code quality, bugs, security, and testing
Post review findings

Static Analysis

All three checks pass:

go build ./... — compiles cleanly
go vet ./... — no issues
go mod tidy — no dependency drift

Prior Review Feedback

The 5 follow-up commits address nearly all prior feedback:

Feedback	Status
Status code checked before body read	✅ Fixed in `b6e7ba29`
Unbounded `io.ReadAll` → `io.LimitReader`	✅ Fixed with `policyMaxBytes+1` trick
SSRF via redirect	✅ `sameHostRedirectPolicy` added
3s timeout too tight	✅ Bumped to 10s
Rename `policyFile` → `policyRef`	✅ Done in `189d6600`
Comment about TLS/dial settings	✅ Added in `a526de21`

Code Review

Overall: this is a well-structured PR. The design is clean — loadPolicy dispatches between local/remote, security mitigations are solid, and tests are thorough.

Remaining nit (non-blocking)

Line 24 comment is redundant: The text 5 * 2^20 (5*1MiB) at the end of the comment block duplicates the inline // 5 MiB. The prior review suggested simplifying to just the clean comment block without the math. Very minor.

What's good

policyMaxBytes+1 pattern (evaluateHelpers.go:167-172): Reading one extra byte and checking length is a clean way to detect oversized responses without writing a custom reader.
sameHostRedirectPolicy (evaluateHelpers.go:181-189): Good SSRF mitigation — blocks cross-host redirects while still allowing same-host redirects (e.g., path normalization).
Test coverage is strong (evaluateInput_test.go:163-274): Tests cover local file, HTTPS fetch, non-2xx rejection, body-not-read-on-error, oversized body, cross-host redirect blocking, and proxy forwarding. This is exactly the right set of edge cases.
Consistent renaming: policyFile → policyRef throughout struct, flags, and function signatures. No leftover references.
policyFetchTimeout as var (evaluateHelpers.go:20): Allows test overrides — good testability practice.
Clean separation: loadPolicy, isRemotePolicyRef, and fetchRemotePolicy are small, focused, and independently testable.
Help text and examples updated in all three commands with remote URL examples.

Summary

Solid PR. Prior security and correctness feedback has been addressed well. The one remaining nit (redundant comment on the constant) is cosmetic and non-blocking. The code is clean, well-tested, and follows the codebase's established patterns.

feat: support remote http(s) URLs for --policy in kosli evaluate

733e6f5

Allow `--policy https://host/policy.rego` (or http://) on `evaluate trail`, `evaluate trails`, and `evaluate input`. Local file paths continue to work unchanged. Remote fetches honor `--http-proxy` and warn on plain HTTP.

mbevc1 added enhancement New feature or request go Pull requests that update go code labels May 8, 2026